Nginx

From Alexander's Wiki

Installing Nginx

Debian / Ubuntu

sudo apt update
sudo apt install nginx -y

CentOS

sudo yum install epel-release -y
sudo yum install nginx -y

Additional commands

Start Nginx and enable it at boot:

systemctl start nginx
systemctl enable nginx

After changing the configuration, nginx has to re-read it. Check the syntax first with nginx -t, then reload; a reload keeps open connections alive, a full restart is only needed when the binary or the listen sockets change:

sudo systemctl reload nginx

Ports nginx is listening on (netstat is deprecated on current distributions; ss -plntu prints the same table):

netstat -plntu

Configuring the firewall

UFW firewall

Allow SSH before enabling the firewall, otherwise the session you are working from is cut off:

ufw allow ssh
ufw enable

ufw allow http
ufw allow https

ufw status

Firewalld

systemctl start firewalld
systemctl enable firewalld

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent

firewall-cmd --reload
firewall-cmd --list-services

SSH is already allowed in firewalld's default (public) zone.

Letsencrypt

Installation

Debian / Ubuntu

sudo apt install letsencrypt -y

(On current Debian/Ubuntu releases the package is called certbot; letsencrypt is only a transitional package that pulls it in.)

cd /etc/nginx/
vim snippets/certbot.conf

insert:

    location /.well-known {
        alias /var/www/html/.well-known;
    }

This serves the ACME HTTP-01 challenge files from the webroot certbot writes to, independent of the site's own document root.

Now edit the default Nginx virtual host file.

vim sites-available/default

Add the following line inside the 'server { ... }' block:

    include snippets/certbot.conf;

CentOS

sudo yum install certbot -y

cd /etc/nginx/
vim default.d/certbot.conf

insert:

    location /.well-known {
        alias /usr/share/nginx/html/.well-known;
    }

(The stock CentOS nginx.conf already includes default.d/*.conf inside its default server block, so no further edit is needed there.)

Reload Nginx (nginx -t, then systemctl reload nginx).

Installing the Let's Encrypt SSL certificates

Debian / Ubuntu

certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email mail@akluge.de -w /var/www/html -d kluge-pferde.de

CentOS

certbot certonly --rsa-key-size 4096 --webroot --agree-tos --no-eff-email --email mail@akluge.de -w /usr/share/nginx/html -d kluge-pferde.de

Every name the HTTPS server will answer for must be listed with its own -d (the command above covers only kluge-pferde.de, not www.kluge-pferde.de); a name missing from the certificate produces a browser warning. When the command finishes, the certificate files for the domain are in /etc/letsencrypt/live/kluge-pferde.de/ (fullchain.pem, privkey.pem and chain.pem, all symlinks to the current version). Certificates are valid for 90 days; certbot renew takes care of renewal, which only works as long as the /.well-known location stays reachable over plain HTTP.

Additional security

For Diffie-Hellman key exchange (the DHE-* cipher suites) the server needs its own DH parameters; generate a 4096-bit set with OpenSSL as shown below. This takes several minutes even on fast hardware.

openssl dhparam -out /etc/nginx/dhparam.pem 4096

The DH parameters are now in /etc/nginx/dhparam.pem. Note that the Mozilla cipher list used below contains ECDHE suites only, and TLS 1.3 negotiates its groups itself, so the file is only consulted if you add DHE-* suites to ssl_ciphers.

SSL configuration

Debian / Ubuntu

cd /etc/nginx/
vim snippets/ssl.conf

CentOS

cd /etc/nginx/
vim default.d/ssl.conf

Insert there:

# Specify the TLS versions
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and cap the SSL Labs grade at B;
# TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# Ciphersuite recommendation from cipherli.st
# Use these ciphersuites to get 100 points in the SSL Labs test
# Some devices will not support them (and the *-GCM-SHA512 names are not
# real OpenSSL suite names; OpenSSL silently skips them)
#ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";

# Mozilla ciphersuite recommendation (intermediate profile; these are the
# TLS 1.2 suites, the TLS 1.3 suites are fixed and not configured here)
# Use this for broad device support
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# Use the DHPARAM file and ECDH curves >= 256 bit
# (listing several curves lets clients negotiate X25519 or P-256 instead of
# being forced onto the slower secp384r1)
ssl_ecdh_curve X25519:secp384r1:prime256v1;
ssl_dhparam /etc/nginx/dhparam.pem;

server_tokens off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Enable HTTP Strict Transport Security
# 'includeSubDomains' covers every subdomain, so only keep it if all of them
# serve HTTPS; 'preload' is only meaningful once the domain is submitted at
# hstspreload.org and is very hard to undo afterwards.
# 'always' makes nginx add the header to 4xx/5xx responses too.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Enable OCSP stapling for the Nginx web server
# With a Let's Encrypt certificate use 'chain.pem' as the trusted chain
# (Let's Encrypt announced in December 2024 that it is retiring its OCSP
# responders; certificates issued without an OCSP URL simply cannot be stapled)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/kluge-pferde.de/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Security headers for the Nginx web server
# Caveat: a location block that sets its own add_header does NOT inherit
# these; repeat them there or move them into a separate snippet
add_header X-Frame-Options DENY always;
# X-XSS-Protection is obsolete and ignored by current browsers; harmless
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Robots-Tag none always;

Redirecting HTTP to HTTPS

http.conf

Create /etc/nginx/sites-available/http.conf and symlink it into sites-enabled. Two details matter here: the redirect has to point at a name the certificate covers (the certbot command above requested only kluge-pferde.de, and the HTTPS server block only answers for that name, so sending visitors to www.kluge-pferde.de would end in a certificate warning), and a 'return' placed directly in the server block runs before any location is matched, which would redirect the ACME challenge as well and break renewal. So the redirect sits in 'location /' and the certbot snippet is included next to it.

server {
    listen 80;
    server_name kluge-pferde.de www.kluge-pferde.de;

    # keep /.well-known reachable over plain HTTP for certbot renewals
    include snippets/certbot.conf;

    location / {
        return 301 https://kluge-pferde.de$request_uri;
    }
}

ssl.conf

Create /etc/nginx/sites-available/ssl.conf and symlink it into sites-enabled. The favicon location is an exact match: a regex such as \favicon.ico$ never matches, because PCRE reads \f as a form feed.

server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;

    root        /var/www/app/webroot;
    index       index.html index.php index.htm;

    server_name kluge-pferde.de;
    # access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log warn;
    rewrite_log on;

    ssl_certificate /etc/letsencrypt/live/kluge-pferde.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kluge-pferde.de/privkey.pem;

    client_max_body_size 100M;

    # SSL configuration
    include snippets/ssl.conf;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Static files.

    location ~ /.well-known {
        allow all;
    }

    # Set expire headers, turn off access log.
    # Caveat: add_header is not inherited into a location that has its own
    # add_header, so the security headers from snippets/ssl.conf are missing
    # on these responses unless they are repeated here.
    location = /favicon.ico {
        access_log off;
        expires 1d;
        add_header Cache-Control public;
    }
    location ~ ^/(img|cjs|ccss)/ {
        access_log off;
        expires 7d;
        add_header Cache-Control public;
    }

    # Deny access to .htaccess files,
    # git & svn repositories, etc
    location ~ /(\.ht|\.git|\.svn) {
        deny  all;
    }
}
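Because nginx replaces rather than merges add_header in a location block, the Cache-Control lines above silently strip HSTS and the other security headers from favicon and static-file responses. The following is an added example, not the wiki's own configuration, of the pattern that avoids this: the headers live in their own snippet, and every location that adds a header of its own includes that snippet again. The file name snippets/security-headers.conf, the example.org name and its paths are assumptions.

```nginx
# /etc/nginx/snippets/security-headers.conf  (assumed file name, added example)
# 'always' = also send the header on 4xx/5xx responses
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;

# /etc/nginx/sites-available/ssl.conf (only the parts that matter here)
server {
    listen 443 ssl http2;
    server_name example.org;                    # assumed name
    root /var/www/example.org;                  # assumed path
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # snippets/ssl.conf with its add_header lines moved into the file above,
    # so that it only carries ssl_* settings
    include snippets/ssl.conf;
    # Server-level headers: inherited by every location WITHOUT its own add_header
    include snippets/security-headers.conf;

    location / {
        try_files $uri $uri/ =404;              # no add_header here: inherits all three
    }

    # WRONG: one add_header in the location replaces the whole inherited set,
    # so /img/... would go out without HSTS and X-Frame-Options
    #location ~ ^/(img|cjs|ccss)/ {
    #    expires 7d;
    #    add_header Cache-Control public;
    #}

    # RIGHT: any location that adds a header re-includes the snippet
    location ~ ^/(img|cjs|ccss)/ {
        access_log off;
        expires 7d;
        add_header Cache-Control public;
        include snippets/security-headers.conf;
    }
}
```

Check the result with curl -sI on a static file (for example an image under /img/) and confirm that Strict-Transport-Security is present next to Cache-Control; before the fix it is missing on exactly those responses.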

Testing the SSL configuration

https://www.ssllabs.com/ssltest/
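Before running the SSL Labs scan, the snippet can be checked offline for the settings that cost points or that nginx handles in a surprising way. This is an added example, not part of the wiki: a small shell lint run over two constructed samples, the snippet as it was originally written on this page and a hardened copy (the example.org path in the hardened sample is an assumption). It only knows the five checks listed in its comments, so it complements the SSL Labs test rather than replacing it.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): offline lint for an nginx TLS snippet.
# Flags the settings SSL Labs penalises plus two nginx-specific traps.
set -eu

# Constructed sample 1: the snippet as originally written on this page (weak)
WEAK_CONF='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;'

# Constructed sample 2: the same snippet hardened (example.org path is assumed)
HARD_CONF='ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:secp384r1:prime256v1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;'

# audit_tls_conf CONFIG_TEXT
# Prints one finding per line; prints nothing when the config is clean.
audit_tls_conf() {
  local conf="$1"

  # 1. SSLv3 / TLS 1.0 / TLS 1.1 are prohibited by RFC 8996 and cap the
  #    SSL Labs grade at B. The trailing class keeps TLSv1 from matching TLSv1.2.
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*[[:space:]](SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
    echo "deprecated protocol version in ssl_protocols (allow only TLSv1.2 TLSv1.3)"
  fi

  # 2. TLS 1.3 not offered (needs nginx >= 1.13.0 with OpenSSL >= 1.1.1)
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols' \
     && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1\.3'; then
    echo "TLSv1.3 not enabled in ssl_protocols"
  fi

  # 3. add_header without 'always': nginx then omits the header on 4xx/5xx
  #    responses, so an error page is served without HSTS
  printf '%s\n' "$conf" \
    | grep -E '^[[:space:]]*add_header' \
    | grep -Ev 'always[[:space:]]*;[[:space:]]*$' \
    | sed 's/^[[:space:]]*/missing always: /'

  # 4. 'preload' gets the domain baked into browser HSTS lists; removal takes
  #    months, so it deserves a conscious decision
  if printf '%s\n' "$conf" | grep -Eiq 'Strict-Transport-Security.*preload'; then
    echo "HSTS preload directive present: keep only after submitting at hstspreload.org"
  fi

  # 5. ssl_stapling_verify needs the issuer chain to validate OCSP responses
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on' \
     && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_trusted_certificate'; then
    echo "ssl_stapling_verify on without ssl_trusted_certificate"
  fi
}

# count_findings CONFIG_TEXT -> number of findings on stdout
count_findings() {
  audit_tls_conf "$1" | grep -c . || true
}

echo "== snippet as written on this page: $(count_findings "$WEAK_CONF") finding(s) =="
audit_tls_conf "$WEAK_CONF"
echo "== hardened snippet: $(count_findings "$HARD_CONF") finding(s) =="
audit_tls_conf "$HARD_CONF"
# Real file: audit_tls_conf "$(cat /etc/nginx/snippets/ssl.conf)"
```

The weak sample produces seven findings (deprecated protocols, no TLS 1.3, three headers without always, the preload flag, and stapling verification without a trusted chain); the hardened sample produces none. A clean run here does not mean an A+ at SSL Labs, because the cipher list and the certificate itself are not inspected.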

CGI / PHP / CakePHP settings

These fragments go inside the HTTPS server block.

    # Not found on disk?
    # Feed to CakePHP for further processing!
    # ('last' ends rewrite processing, so no 'break' is needed after it)
    if (!-e $request_filename) {
        rewrite ^/(.+)$ /index.php?url=$1 last;
    }

    # Pass the PHP scripts to FastCGI server
    # listening on 127.0.0.1:9000
    # location ~ \.php$ {
    #    fastcgi_pass   unix:/tmp/php.socket;
    #    #fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_intercept_errors on; # to support 404s for PHP files not found
    #    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #    include        fastcgi_params;
    # }

    location ~ \.php$ {
        # Only hand existing .php files to PHP-FPM. Without this check and with
        # cgi.fix_pathinfo=1 a request for /uploads/x.jpg/foo.php would make
        # PHP execute the uploaded x.jpg as a script.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm (newer releases use e.g. /run/php/php8.2-fpm.sock on Debian 12):
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        # Debian's fastcgi_params does not define SCRIPT_FILENAME; without it
        # PHP-FPM only answers "No input file specified" (fastcgi.conf has it)
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }